The Avast Sandbox should do the trick...
It has a feature called Virtualized Folders, which allows users to select folders from which any executed applications will be sandboxed.
In the previous versions wildcarded paths didn't work (despite saying it does), only full paths. And it wasn't taking the sandbox exclusions into account when automatically virtualizing files from the selected locations.
Now, how may this be used? Well, software restriction policies appeared to be really effective against many types of malware, incl. ransomware. The list of locations can be found here:
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#prevent
Anyway, if the component is fixed, i.e. the wildcards work and it consults the SB exclusions prior to sandboxing a process from a virtualized folder, I don't see why this could not be used. Obviously this will not protect the systems if the source is an exploited software, but at least it is something.
I installed the beta version today to check if these have been fixed, but *oh the irony*, I had to deal with a Cryptowall infection on a ~40-computer network.
I will test tomorrow and let you know.